Password Cracking and Sniffing

Agenda
• Storing Passwords on the system
• Password Cracking on Windows and Linux
• Defenses against Password cracking
• Sniffing
• Defenses against Sniffing
ECE 4883 - Internetwork Security
Cracking Passwords
• Passwords that can be guessed easily are a problem
• Lots of tools are available to figure out passwords
• L0phtcrack – Windows password cracker
• "John the Ripper" – Unix password cracker
• Default passwords remaining on a system are a typical vulnerability
Password Storage
• Password files have passwords stored in a hashed or encrypted form
• Hash algorithm example: Message Digest 4 (MD4)
• Encryption algorithm example: Data Encryption Standard (DES)
• When you use your password, it is hashed or encrypted and then compared to the stored value
• Crackers use a downloaded local copy of the password file on their own machine
Storing Passwords
• Systems have a file with all hashed/encrypted passwords
  - Windows – SAM (Security Accounts Manager) database
  - UNIX – /etc/passwd or /etc/shadow
• Access to these files can make it easy for a hacker to break in
Windows Passwords
• Security Accounts Manager (SAM) has two versions of each password
• LanMan (LM) password version for backward compatibility with Windows workgroups
• NT hash – cryptographic hash for Windows NT/2000 (uses MD4)
• SAM file is in the \WINNT\system32\config\ directory; it is a binary file that is hard to read
• Backup copy stored in \WINNT\repair
Using Passwords
• System has a hashed/encrypted version of the password stored in a file
• On login attempt:
  - System hashes/encrypts the password typed in, using for example the crypt() function in Linux
  - Compares the hashed/encrypted value to the stored hashed/encrypted value
• Idea behind password cracking is to get a copy of the hashed/encrypted passwords and then make guesses, hash/encrypt each guess and compare
Password Guessing
• Based on a dictionary
• Brute force – guess every possible combination of characters
• Hybrid – use a dictionary but add characters to dictionary entries
Password Cracking
• Dictionary attack
  - Hackers steal a copy of the stored password file
  - Guess a password (may use a dictionary)
  - Find the hash/encrypted value of the guess
  - Compare the hash to entries from the stored file
  - Continue this until success or out of options for password guesses
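The hash-then-compare login check and the guess/hash/compare loop from the slides above, written out as an added example (not part of the original slides). It uses a constructed, simplified salted-SHA-256 storage format rather than the real crypt(3) format, and a constructed three-account shadow list, and is framed as the self-audit of your own password file that the defenses section recommends.

```python
import hashlib
import hmac
import os

# Constructed storage format for this demo, NOT the real crypt(3) format:
# "$sha256$<salt hex>$<digest hex>". Every entry has its own salt, as in
# /etc/shadow, so each guess has to be re-hashed separately per account.
def hash_password(password: str, salt: bytes) -> str:
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"$sha256${salt.hex()}${digest}"

def make_entry(password: str) -> str:
    return hash_password(password, os.urandom(8))

def verify(stored: str, attempt: str) -> bool:
    # The login path: hash what was typed with the stored salt and compare
    # (constant-time, so the comparison itself leaks no timing information).
    _, _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(stored, hash_password(attempt, bytes.fromhex(salt_hex)))

def hybrid_guesses(dictionary):
    # Dictionary words plus the "hybrid" variants the slides describe:
    # case changes and one or two digits appended to the word.
    for word in dictionary:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"

def audit(shadow_lines, dictionary):
    """Return {user: guessed_password} for accounts whose stored hash
    matches some dictionary/hybrid guess; shadow_lines are "user:hash"."""
    entries = dict(line.split(":", 1) for line in shadow_lines)
    weak = {}
    for guess in hybrid_guesses(dictionary):
        for user, stored in entries.items():
            if user not in weak and verify(stored, guess):
                weak[user] = guess
        if len(weak) == len(entries):
            break
    return weak

SAMPLE_SHADOW = [            # constructed accounts for the demo
    "alice:" + make_entry("letmein7"),
    "bob:" + make_entry("Summer42"),
    "carol:" + make_entry("xq7!Lp#9vR2m"),
]
SMALL_DICT = ["password", "letmein", "summer", "welcome"]
```

Running audit(SAMPLE_SHADOW, SMALL_DICT) recovers alice's and bob's passwords from a four-word dictionary while carol's random password survives; the per-entry salt is why every guess must be hashed once per account instead of once per file.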
Password Retrieval on Windows
• Sniff the network for passwords being transmitted
• From the Administrator's emergency repair disk
• From the backup directory
Password Cracking on Windows
• L0phtCrack – lc4 (Windows)
  - Available at [email protected]/research/lc/
  - Password auditing and recovery application
  - Default English dictionary: 50,000 words
  - Does "hybrid" attacks
  - Our free trial version does not allow brute force (for $350 can purchase with that capability)
  - Works on weaker LanMan (LM) as well as NT hashes
  - Can sniff a network for LanMan hashed passwords
  - Can download the hashed password file from a local machine or a remote computer
L0phtCrack (lc4)
• Some statistics (from the website)
  - L0phtCrack obtained 18% of the passwords in 10 minutes
  - 90% of the passwords were recovered within 48 hours on a Pentium II/300
  - The Administrator and most Domain Admin passwords were cracked
Password Cracking on UNIX
• John the Ripper
• Available at http://www.openwall.com/john/
• Supports six hashing schemes including XP
• Old Unix used /etc/passwd to store passwords
• Password is stored after being cryptographically altered
• Various algorithms (hash/encrypted) used by various Unix platforms
• /etc/passwd is readable by everyone
• Some Unix systems store passwords in a shadow password file, so /etc/passwd does not contain the passwords; they are instead in /etc/shadow or /etc/secure, and only root can access these files
• If a shadow file is used, must have root to copy it
Password Retrieval on Linux
• List of login names and usernames in /etc/passwd
• List of encrypted passwords in /etc/shadow
• /etc/shadow alone is enough to crack the passwords
• Having both files makes it easier
John the Ripper
• Combine information from /etc/passwd and /etc/shadow into one file
• Use this file as input for John the Ripper
• John can create guesses by
  - Using a built-in dictionary
  - Using account information
  - Using a brute-force guessing algorithm
John the Ripper
• Scrambling is applied to each guess
• When a password is cracked, the result is displayed on screen
• During execution of this tool, hitting any key will show the current guess and status
• Password complexity determines the time needed to crack them
Defenses against Password Cracking
• Select good passwords (not dictionary based)
• Change regularly
• Use tools to prevent easy passwords
• Use password cracking tests against your own systems
• Protect system backups that have password files
• Unix: activate password shadowing
• Windows: disable weaker LM authentication if there are no Windows 95/98 machines on the network
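An added example (not from the slides) of the "tools to prevent easy passwords" defense: a checker that rejects a new password if it is short, uses too few character classes, or is a dictionary word with only the cheap hybrid tweaks (appended digits, case changes, letter substitutions) stripped away. The word list is a constructed stand-in for a real dictionary.

```python
import re

# Constructed word list for the demo; a real checker would load a full
# dictionary, the same kind of list a cracking tool would use.
WEAK_WORDS = {"password", "letmein", "summer", "welcome", "admin"}

def normalize(candidate: str) -> str:
    """Undo the cheap 'hybrid' tweaks before the dictionary lookup: strip
    digits/symbols from either end, lower-case, and map common letter
    substitutions, so that "P@ssw0rd1" normalizes to "password"."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", candidate)
    return core.lower().translate(str.maketrans("@$01!3", "asolie"))

def check_password(candidate: str, weak_words, min_len: int = 12):
    """Return a list of problems; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if normalize(candidate) in weak_words:
        problems.append("dictionary word with trivial variations")
    return problems
```

check_password("Summer42", WEAK_WORDS) reports both the length and the dictionary problem, while a 12-character random password passes with no findings.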
Agenda
✓ Storing Passwords on the system
✓ Password Cracking on Windows and Linux
✓ Defenses against Password cracking
• Sniffing
• Defenses against Sniffing
Sniffing
• Collect information being transmitted on the network
• Attacker must be on either the source, the destination or an intermediate network
• Sniffed information can be stored/logged
Sniffing Traditional LANs
• Traditional networks
  - Broadcast medium – easy to sniff

[Figure: hub-based LAN. "Data A" sent by one host is repeated by the hub to every port, so the attacker's host receives a copy of Data A as well.]
Sniffing Switched LANs
• Switched LANs
  - Difficult to do, but possible
  - ARP cache poisoning – attacker must inject packets into the network to redirect traffic
  - ARP tells which MAC address corresponds to which IP address; the attacker lies about the MAC address and intercepts the traffic
[Figure: switched LAN with an attacker host. The switch forwards "Data A" only toward its destination port rather than to every port.]
Sniffit
• Easy to use sniffer
• Available at: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
• Can be run in interactive mode
• Can be used to sniff traditional LANs
• For switched LANs, must be used with ARP cache poisoning tools
Sniffit
• Conditions to use (from the Sniffit web page):
  - You should be ROOT on your machine
  - The machine has to be connected to a network
  - You have to be allowed to sniff (ethical condition)
Sniffit – Interactive Mode
• All TCP traffic can be viewed in the main screen
• Traffic from each system and port to each system and port can be seen
• Has an option to see the data in a particular stream flow
Ethereal
• From http://www.ethereal.com/
• Ethereal is a free network protocol analyzer for Unix and Windows.
• It allows you to examine data from a live network or from a capture file on disk.
• You can interactively browse the capture data, viewing summary and detail information for each packet.
• Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Source: www.ethereal.com
[Screenshot of Ethereal. Source: www.ethereal.com]
Defense against Sniffing
• Transmit encrypted data across a network
• Don't use telnet, rsh, rlogin
• Use Secure Shell
• Use VPNs to encrypt data between systems
• Use switches instead of hubs – makes sniffing more difficult
Defense against Sniffing
• For critical systems
  - MAC level filtering on switches
  - Restrict the MAC addresses that can send and receive data on specific switch ports
  - Hard code ARP tables on critical systems
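An added example (not part of the slides) that ties the ARP cache poisoning technique from "Sniffing Switched LANs" to the hard-coded ARP table defense above: a small monitor that replays a constructed trace of ARP replies, flags any reply contradicting a static binding, any IP whose MAC changes, and one MAC claiming several IPs. The trace and the static table are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str

# Constructed trace of ARP replies seen on a switched segment. The gateway
# 10.0.0.1 really lives at aa:...:01; later replies claim it is at a second
# MAC (cc:...:99), which then also claims the address of host 10.0.0.7.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("10.0.0.7", "bb:bb:bb:bb:bb:07"),
    ArpReply("10.0.0.1", "cc:cc:cc:cc:cc:99"),
    ArpReply("10.0.0.7", "cc:cc:cc:cc:cc:99"),
]

# Hard-coded (static) bindings for critical hosts, the defense the slides
# recommend; a reply disagreeing with these is flagged immediately.
STATIC_ARP = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}

def detect_arp_poisoning(replies, static_table):
    """Return a list of alert strings for suspicious ARP replies."""
    seen = dict(static_table)           # ip -> first-seen or static MAC
    ips_per_mac = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        ips_per_mac[mac].add(r.sender_ip)
        known = seen.get(r.sender_ip)
        if known is None:
            seen[r.sender_ip] = mac       # learn, but never overwrite later
        elif known != mac:
            kind = ("static binding violated" if r.sender_ip in static_table
                    else "IP-to-MAC change")
            alerts.append(f"{kind}: {r.sender_ip} was {known}, now {mac}")
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"one MAC {mac} claims several IPs: "
                          f"{sorted(ips_per_mac[mac])}")
    return alerts
```

A single MAC answering for several IPs is also what a legitimate router or a host with aliases looks like, so that third alert is a cue to check the static table rather than proof of an attack on its own.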